Active Security Defense for Software Defined Network
A method is described in which at least one access event matching a predetermined security entry detected by a SDN switch is received; a target host of the access event is determined; and a security validation module corresponding to the predetermined security entry is invoked to obtain a security validation result.
This application claims priority to China Patent Application No 201310222656 3, filed on Jun. 4, 2013, entitled “An Active Security Defense Method and Apparatus”, which is incorporated herein by reference.
BACKGROUND
There are a great number of servers and user terminals in a network. Usually, the servers and user terminals are referred to as hosts, and the basic function of the network is to provide communication services for these hosts. With the development of network technology, the complexity of networks has increased. Nowadays, network administrators care not only about the implementation of communication services, but also about network security. Within the network, hosts are usually the targets of a variety of network attacks. This is the reason that developers have focused on providing security solutions for the hosts from different aspects.
Network security is not a single measure, but a multi-dimensional concept. In order to ensure host security, network administrators install security software suited to user terminals on the hosts. Network administrators may also add network devices for defending against attacks, such as firewalls or an intrusion prevention system (IPS). By combining these security measures, the security of the hosts is greatly enhanced so as to reduce the possibility of being attacked. A large-scale network may also include, in addition to the user terminals, data centers having a great number of servers. With the development of virtualization technology, a physical server may be abstracted into a plurality of logical servers, which are referred to as virtual machines. The services provided by a virtual machine are the same as those provided by a physical server. The security measures for virtual machines and user terminals may be somewhat different due to the operating system installed thereon and the services provided by the virtual machines. For the same reason, there may also be somewhat different security measures among different virtual machines. With respect to such complex and differentiated security demands, how to effectively ensure network security is a challenge for the network administrators of a large-scale network.
In an example, the active security defense method provided by the SDN infrastructure may detect a network security hole in a real-time manner.
At block 101, notification of at least one access event matching a predetermined security entry detected by the SDN switch is received by the SDN controller.
At block 102, a target host of the access event is determined.
At block 103, a security validation module corresponding to the predetermined security entry is invoked to obtain a security validation result for the target host.
In an example, an access event is an event in which a client or external host attempts to access a target host, such as the host H2 attempting to access Server2, as shown in
Referring to
The controller may determine which security entry has been matched by a serial number or other similar identifier carried in the packet-in message. The controller may also obtain the identification information of the target host, such as the IP address and/or the MAC address, etc., from the packet-in message, because the message carries the original information of the accessed target host. At this moment, the controller invokes a security validation module corresponding to the security entry for the target host. “Invokes” means that the controller causes a security validation module to be executed.
The security validation process may include an access request or message sent to the target host. However, instead of requesting services provided by the target host, the purpose of the security validation process is to determine whether the target host has a security hole. Examples of security holes include whether the target host has up-to-date patches (e.g., whether it has applied the patch in time), whether the target host has a weak password, etc. Such security holes may make the target host vulnerable to attack. For instance, if the host has applied the patch, then there would be no security hole relating to that patch. When the operating system of the target host has been upgraded to the latest patch, then even if the current access event relates to a network attack, it may be difficult to cause damage to the target host. Thus, up-to-date patches contribute to the defense against attacks or intrusion. According to the above method, the controller is capable of detecting a security hole of the target host before the target host is accessed. This helps to precisely detect the security risk, which is very useful for network administrators.
In an example, the security entry may relate to one specific host to be protected or to a plurality of hosts, such as hosts having IP addresses within a specific range. Hosts protected by the security method may be termed ‘internal hosts’. Once a packet relating to an internal host has matched a security entry in an entry table of a switch, the switch is triggered to report to the controller, and the security validation process is further triggered. In this way, when security entries are deployed on the switches, any access causing a security risk, i.e., in which the access packet matches a security entry, may trigger the security validation process. As the controller and switches using the active security method help to monitor host security holes, the network administrator is partly relieved of this burden and may pay more attention to other security risks. Further, when one specific security hole may be utilized by an attacker, the active security defense method is capable of detecting the suspicious behavior so as to actively validate whether the target host has that security hole. In this way, a corresponding solution may be adopted according to the security validation result. More detailed examples will be described hereinafter.
Security entries may be distributed to one or more switches by the controller. For example, the network administrator or software may select which switches to distribute a security entry to according to the host or hosts which it is desired to protect. Referring to
Referring to
After distributing the security entries to switch (S1) via the configuration interface of
In an example, at block 304, the weak-password detecting module constructs a corresponding tabular data stream (TDS) protocol request packet to be transmitted to switch (S1) via a packet-out message. That is, the request packet is transmitted to Server1 via switch (S1). The TDS request packet simulates a normal user login. The TDS request packet may be constructed by referencing a plurality of parameters of the original packet carried by the packet-in message. For instance, the parameters may be the destination IP address of the original packet, i.e., the IP address of Server1, and the adopted protocol. As the security hole to be validated relates to the weak password issue, the weak-password detecting module constructs the user password of the TDS request packet according to an internally saved weak password dictionary. The weak-password detecting module repeatedly constructs TDS request packets, validating each of the passwords in the weak password dictionary. If any one of the weak passwords logs in successfully, Server1 is determined as having a security hole relating to weak passwords. Otherwise, Server1 is determined as having no weak password issue. In an example, at block 305, the controller 100 gets a response from Server1, and then at block 306, the controller 100 sends a notification to the administrator.
In some examples, as illustrated in the flow chart of
At block 201, at least one access event matching a predetermined security entry detected by the switch is received.
At block 202, the target host of the at least one access event is determined.
At block 203, a determination may be made of whether the target host is in a white list of the security entries. If the target host is in the white list, the process ends. If the target host is not in the white list, the process goes to block 204.
At block 204, the security validating module corresponding to the predetermined security entry is invoked so as to obtain the security validation result of the target host.
At block 205, a determination may be made of whether the target host has a security hole. If not, the process goes to block 206. Otherwise, the process goes to block 207.
At block 206, the target host is added to the white list of the security entry, and the process ends.
At block 207, a determination may be made of whether it is needed to notify the administrator. If it is needed to notify the administrator, the process goes to block 208. Otherwise, the process goes to block 209.
At block 208, the security event notification is sent to the administrator.
At block 209, a determination may be made of whether a deny entry has to be distributed. If yes, the process goes to block 210. Otherwise, the process ends.
At block 210, the deny entry is distributed, and the process ends.
At block 202, comparing to the steps in
If the access event toward the SQL Server database of Server1 has invoked the security validation process and it is determined that there is no security hole, the IP address of Server1, i.e., 192.168.1.211, is added to the white list of the security entry. When another host accesses the SQL Server database on Server1 again, as the IP address of Server1 has been added to the white list, the security validation process is not invoked again. Further, as the login password for the SQL Server database of Server1 may be changed by other administrators, a security hole may arise if the changed password is a weak password. For this reason, the controller counts down a timer with a duration, e.g., one month, for the target host when adding the target host to the white list. When the timer ends, the controller removes the target host from the white list. After the target host is removed, the security validation process may be invoked again when Server1 is accessed by other hosts. In this way, security holes introduced by human action or by other uncontrollable factors can be greatly reduced.
When it is determined that there is a security hole. Referring to
Referring to
It is to be noted that, in other examples, the controller may only send the security event notification to the administrator, instead of distributing the deny entry. Alternatively, the controller may distribute the deny entry without notifying the administrator. In addition, the corresponding notifying and denying options may be omitted so as to make administration more convenient. Furthermore, referring to
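The decision flow of blocks 201 to 210, the white-list timer described above and the deny entry of claim 11, as an added Python model that is not part of the patent or of any H3C product: switch-side flow-entry matching plus the controller's packet-in handling. The validation module is a pluggable callable (hypothetical), and the subnet, port, hosts and validation outcome are constructed sample data.

```python
from dataclasses import dataclass
import ipaddress
import time
REPORT, DROP = "report", "drop"   # action of a security entry / of a deny entry (claim 11)

@dataclass
class FlowEntry:
    dst_net: str      # destination-host match: a subnet or a single /32 host
    dst_port: int     # protected service, e.g. 1433 for SQL Server
    priority: int
    action: str
    def matches(self, dst_ip, dst_port):
        return (dst_port == self.dst_port and
                ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst_net))

def switch_lookup(table, dst_ip, dst_port):
    """Switch side: the highest-priority matching entry decides report vs drop."""
    hits = [e for e in table if e.matches(dst_ip, dst_port)]
    return max(hits, key=lambda e: e.priority) if hits else None

class Controller:
    def __init__(self, validator, whitelist_ttl=30 * 24 * 3600, clock=time.time):
        self.validator = validator   # hypothetical validation module: True if a hole is found
        self.whitelist = {}          # target host -> expiry time (block 206, claim 6)
        self.ttl, self.clock, self.notifications = whitelist_ttl, clock, []
    def packet_in(self, table, entry, dst_ip, dst_port):
        now = self.clock()
        if self.whitelist.get(dst_ip, 0) > now:   # block 203: still whitelisted
            return "whitelisted"
        self.whitelist.pop(dst_ip, None)          # timer ended: validate again
        if not self.validator(dst_ip, dst_port):  # blocks 204/205
            self.whitelist[dst_ip] = now + self.ttl   # block 206
            return "clean"
        self.notifications.append((dst_ip, dst_port))   # block 208
        # block 210 / claim 11: the deny entry differs only in the target-host field,
        # outranks the security entry and drops instead of reporting
        table.append(FlowEntry(f"{dst_ip}/32", dst_port, entry.priority + 1, DROP))
        return "denied"

def demo():
    """Constructed scenario: one subnet security entry, one host with a weak password."""
    table = [FlowEntry("192.168.1.0/24", 1433, 10, REPORT)]
    weak_hosts = {"192.168.1.212"}           # constructed validation outcome
    ctl = Controller(lambda ip, port: ip in weak_hosts)
    outcome = []
    for dst in ("192.168.1.211", "192.168.1.211", "192.168.1.212", "192.168.1.212"):
        hit = switch_lookup(table, dst, 1433)
        outcome.append("dropped" if hit.action == DROP else ctl.packet_in(table, hit, dst, 1433))
    return outcome   # ['clean', 'whitelisted', 'denied', 'dropped']
```

The second access to 192.168.1.212 never reaches the controller: the installed deny entry outranks the security entry, so the switch drops it without a packet-in.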
The foregoing descriptions are only examples of the present disclosure and are not for use in limiting the protection scope thereof. Any modification, equivalent replacement and improvement made under the spirit and principle of the present disclosure should be included in the protection scope thereof.
Claims
1. An active security defense method, comprising:
- receiving notification of at least one access event matching a predetermined security entry detected by a software defined network (SDN) switch;
- determining a target host of the access event; and
- invoking a security validation module corresponding to the predetermined security entry, wherein the security validation module is to obtain a security validation result for the target host.
2. A method in accordance with the method of claim 1 comprising distributing, by a SDN controller, a security entry to a SDN switch and storing in the SDN controller a correspondence between the security module and the distributed security entry.
3. A method in accordance with the method of claim 1 comprising sending a security event notification upon determining the target host has a security hole according to the security validation result.
4. A method in accordance with the method of claim 1 comprising distributing at least one deny entry corresponding to the target host and the security entry upon determining the target host has a security hole according to the security validation result, wherein a priority of the deny entry is higher than the priority of the corresponding security entry.
5. A method in accordance with the method of claim 1 comprising:
- determining whether the target host is in a white list of the corresponding security entry after the detected access event is received and the target host is determined; and
- invoking the security validation module to obtain the security validation result in response to determining that the target host is not in the white list of the corresponding security entry; and
- adding the target host to the white list of the corresponding security entry in response to determining the target host has no security hole according to the security validation result.
6. A method in accordance with the method of claim 1 comprising counting down a timer with a predetermined duration upon adding the target host to the white list, and removing the target host from the white list when the duration ends.
7. A SDN controller comprising:
- a processor and a non-volatile machine readable storage medium storing instructions executable by the processor to:
- distribute at least one security entry corresponding to a specific security hole to the SDN switch connecting a target host to a network;
- validate whether the target host comprises the security hole when the security entry is matched; and
- prevent the target host from being attacked by access events relating to the specific security hole by the SDN switch upon determining the target host comprises the security hole.
8. A non-transitory machine-readable storage medium encoded with instructions executable by a processor, the machine-readable storage medium comprising:
- instructions to receive notification of at least one access event matching a predetermined security entry detected by a SDN switch;
- instructions to determine a target host of the access event; and
- instructions to invoke a security validation module corresponding to the predetermined security entry to obtain a security validation result.
9. A non-transitory machine-readable storage in accordance with claim 8 comprising instructions to distribute a security entry and save a correspondence between the distributed security entry and the corresponding security validation module.
10. A non-transitory machine-readable storage in accordance with claim 8 comprising instructions to send a security event notification to an administrator upon determining the target host has a security hole.
11. A non-transitory machine-readable storage in accordance with claim 8 comprising instructions to distribute at least one deny entry corresponding to the security entry upon determining the target host has a security hole, wherein a priority of the deny entry is higher than the priority of the corresponding security entry, only one flow characteristic regarding the target host of the deny entry is different from that of the security entry, a corresponding action of the deny entry is dropping, and a corresponding action of the security entry is reporting.
12. A non-transitory machine-readable storage in accordance with claim 8 comprising instructions to:
- determine whether the target host is in a white list of the corresponding security entry after the detected access event is received and the target host is determined;
- invoke the security validation module to obtain the security validation result when the target host is not in the white list of the corresponding security entry; and
- add the target host to the white list of the corresponding security entry upon determining the target host has no security hole.
13. A non-transitory machine-readable storage in accordance with claim 12 comprising instructions to:
- count down a timer with a predetermined duration upon adding the target host to the white list, and remove the target host from the white list when the duration ends.
Type: Application
Filed: Jun 3, 2014
Publication Date: Dec 4, 2014
Applicant: Hangzhou H3C Technologies Co., Ltd. (Hangzhou)
Inventor: Guang Ji (Beijing)
Application Number: 14/294,839